There are several options if no regex or value can be transformed/ replaced:

  1. Use untransformed values
    The values are processed as sent by the identity provider.

  2. Ignore the attribute
    The attribute will be ignored and will not be updated/ saved for this user.
    Existing values will not be changed.

  3. Clear the attribute value
    Only the attributes that could be transformed are assigned, all other values are being removed.
    For example, the identity provider sends three groups "A", "B" and "C" and only "C" is transformed, "A" and "B" are being removed.
    If the identity provider sends three groups "A", "B" and "C" and no transformation applies for these, none will be assigned.

  4. Filter the user
    The user will be filtered if no transformation rule is applied. In the context of SAML SSO, authentication will for this user fails.
    In the context of UserSync, the user will not be synced or the cleanup behaviour is applied if the user existed already.
    The below depicts a User Sync connector's Sync Settings tab with the cleanup behavior which is always only applied at the end of a full synchronization.